The SonicWall Threats Research team has received reports of a new ransomware named FireCrypt. It is created by a malware kit called BleedGreen. The kit generates FireCrypt executables from a limited set of options, one of which is a DDoS against the Pakistan Telecommunication Authority website.

The kit executable file uses the following icon:

The kit, which requires .NET 4.0 to run, uses the Windows Command Prompt as its configuration interface. It lists its built-in features and provides an option to supply an icon for the generated malware executable:

Infection Cycle:

Once the generated file is run on the target machine, it kills Task Manager if it is running and makes the following DNS query:

www.pta.gov.pk

The following communication with the Pakistan Telecommunication Authority website is believed to be part of an intended DDoS attack, although it appears to be ineffective:
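For defenders, the indicator above is easy to hunt for in resolver logs. The following Python script is an added example, not SonicWall's code and not part of the original write-up: it parses DNS query logs, counts lookups of www.pta.gov.pk per client, and flags hosts that query it repeatedly, which is the pattern the attempted DDoS would produce. The log line format and the sample log lines are constructed for the example; only the domain comes from the write-up.

```python
"""
Added example (not SonicWall's code): flag hosts that repeatedly resolve the
www.pta.gov.pk indicator named in the write-up.

Assumed (constructed) resolver log format, one record per line:
    <timestamp> <client_ip> <hostname> <query_name> <record_type>
"""
import re
from collections import Counter

# Indicator from the write-up; everything else in this file is constructed.
INDICATOR = "www.pta.gov.pk"

# Constructed sample log: WS-017 hammers the indicator, WS-023 looks it up once.
SAMPLE_LOG = """\
2017-01-06T09:12:01Z 10.0.0.11 WS-011 update.microsoft.com A
2017-01-06T09:12:02Z 10.0.0.17 WS-017 www.pta.gov.pk A
2017-01-06T09:12:02Z 10.0.0.17 WS-017 www.pta.gov.pk A
2017-01-06T09:12:03Z 10.0.0.17 WS-017 www.pta.gov.pk A
2017-01-06T09:12:03Z 10.0.0.17 WS-017 www.pta.gov.pk AAAA
2017-01-06T09:12:04Z 10.0.0.23 WS-023 www.pta.gov.pk A
2017-01-06T09:12:05Z 10.0.0.11 WS-011 mail.example.org MX
2017-01-06T09:12:06Z 10.0.0.17 WS-017 www.pta.gov.pk A
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ip>\S+)\s+(?P<host>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$"
)


def parse_dns_log(text):
    """Parse resolver log text into a list of dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            # Normalise the query name so case and a trailing dot do not hide a hit.
            rec["qname"] = rec["qname"].lower().rstrip(".")
            records.append(rec)
    return records


def indicator_hits(records, indicator=INDICATOR):
    """Count queries for the indicator per (hostname, client_ip) pair."""
    counts = Counter()
    wanted = indicator.lower().rstrip(".")
    for rec in records:
        if rec["qname"] == wanted:
            counts[(rec["host"], rec["ip"])] += 1
    return counts


def flag_hosts(text, indicator=INDICATOR, threshold=3):
    """Return {"host (ip)": count} for clients at or above the query threshold.

    A single lookup can be ordinary browsing; repeated lookups in a short
    window match the behaviour described for the generated executable.
    """
    counts = indicator_hits(parse_dns_log(text), indicator)
    return {f"{host} ({ip})": n for (host, ip), n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for host, n in sorted(flag_hosts(SAMPLE_LOG).items()):
        print(f"{host}: {n} queries for {INDICATOR}")
```

On the constructed sample this reports only WS-017; WS-023's single lookup stays below the threshold. In practice, correlate a flagged host with the Task Manager termination described above before treating the DNS activity as an infection on its own.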

The Trojan scans the filesystem for files to encrypt. JavaScript code found embedded in the executable file shows the list of file extensions that the malware looks for and encrypts using AES-256: